Monday, 2018-03-19

[00:03] <openstackgerrit> Adrian Turjak proposed openstack/keystone-specs master: Add spec for partial auth tokens  https://review.openstack.org/553670
[00:04] *** oikiki has quit IRC
[00:07] *** oikiki has joined #openstack-keystone
[00:07] *** oikiki has quit IRC
[00:09] *** oikiki has joined #openstack-keystone
[00:09] *** odyssey4me has quit IRC
[00:09] *** odyssey4me has joined #openstack-keystone
[00:11] *** oikiki has quit IRC
[01:06] *** r-daneel has joined #openstack-keystone
[01:16] *** zhurong has joined #openstack-keystone
[01:32] *** r-daneel_ has joined #openstack-keystone
[01:33] *** r-daneel has quit IRC
[01:33] *** r-daneel_ is now known as r-daneel
[01:35] *** zhongjun_ has joined #openstack-keystone
[02:13] *** oikiki has joined #openstack-keystone
[02:15] *** wes_dillingham has joined #openstack-keystone
[02:25] *** jdennis has joined #openstack-keystone
[02:27] *** annp has joined #openstack-keystone
[02:36] *** zhurong has quit IRC
[02:37] *** zhurong has joined #openstack-keystone
[03:17] *** germs has joined #openstack-keystone
[03:17] *** germs has quit IRC
[03:17] *** germs has joined #openstack-keystone
[03:21] *** namnh has joined #openstack-keystone
[03:22] *** germs has quit IRC
[03:23] *** rcernin_ has joined #openstack-keystone
[03:25] *** rcernin has quit IRC
[03:29] *** rcernin_ has quit IRC
[03:29] *** rcernin has joined #openstack-keystone
[03:33] *** rcernin has quit IRC
[03:49] *** rcernin has joined #openstack-keystone
[03:56] *** wxy has quit IRC
[04:02] *** wes_dillingham has quit IRC
[04:07] *** oikiki has quit IRC
[04:14] *** Dinesh_Bhor has joined #openstack-keystone
[04:33] *** bhagyashri_s is now known as bhagyashris
[04:33] *** bhagyashris is now known as bhagyashri_s
[04:33] *** bhagyashri_s is now known as bhagyashris
[04:36] *** oikiki has joined #openstack-keystone
[04:39] *** itlinux has quit IRC
[04:58] *** oikiki has quit IRC
[04:59] *** Dinesh__Bhor has joined #openstack-keystone
[05:00] *** Dinesh_Bhor has quit IRC
[05:04] *** zhurong has quit IRC
[05:08] <openstackgerrit> Merged openstack/keystone master: Updated from global requirements  https://review.openstack.org/553960
[05:18] *** germs has joined #openstack-keystone
[05:23] *** germs has quit IRC
[05:49] *** openstackgerrit has quit IRC
[05:49] *** Suramya_ has joined #openstack-keystone
[05:50] *** Suramya has joined #openstack-keystone
[05:59] *** Dinesh__Bhor has quit IRC
[06:01] *** Dinesh_Bhor has joined #openstack-keystone
[06:22] *** Dinesh_Bhor has quit IRC
[06:25] *** Dinesh_Bhor has joined #openstack-keystone
[06:28] *** rsxruv has joined #openstack-keystone
[06:29] *** Dinesh_Bhor has quit IRC
[06:31] *** Dinesh_Bhor has joined #openstack-keystone
[07:00] *** d0ugal has joined #openstack-keystone
[07:00] *** d0ugal has quit IRC
[07:00] *** d0ugal has joined #openstack-keystone
[07:01] *** zhurong has joined #openstack-keystone
[07:07] *** rcernin has quit IRC
[07:17] *** oikiki has joined #openstack-keystone
[07:18] *** germs has joined #openstack-keystone
[07:18] *** germs has quit IRC
[07:18] *** germs has joined #openstack-keystone
[07:23] *** germs has quit IRC
[07:25] *** oikiki has quit IRC
[07:28] *** oikiki has joined #openstack-keystone
[07:34] *** martinus__ has joined #openstack-keystone
[07:39] *** pcaruana has joined #openstack-keystone
[07:54] *** AlexeyAbashkin has joined #openstack-keystone
[07:54] *** zhurong has quit IRC
[08:17] *** tesseract has joined #openstack-keystone
[08:24] *** aloga has quit IRC
[08:34] *** Dinesh_Bhor has quit IRC
[08:40] *** jaosorior has joined #openstack-keystone
[08:40] *** Dinesh_Bhor has joined #openstack-keystone
[08:56] *** oikiki has quit IRC
[09:19] *** hoonetorg has quit IRC
[09:32] *** hoonetorg has joined #openstack-keystone
[09:34] *** BlackDex has quit IRC
[09:34] *** Dinesh_Bhor has quit IRC
[09:35] *** BlackDex has joined #openstack-keystone
[09:43] *** gus has quit IRC
[09:43] *** jamielennox has quit IRC
[09:44] *** gus has joined #openstack-keystone
[09:48] *** jamielennox has joined #openstack-keystone
[10:05] *** namnh has quit IRC
[10:13] *** mvk has joined #openstack-keystone
[10:37] *** annp has quit IRC
[10:57] *** chason has quit IRC
[10:58] *** chason has joined #openstack-keystone
[11:14] *** edmondsw has joined #openstack-keystone
[11:18] *** edmondsw has quit IRC
[11:19] *** openstackgerrit has joined #openstack-keystone
[11:19] <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds  https://review.openstack.org/396331
[11:20] *** germs has joined #openstack-keystone
[11:20] *** germs has quit IRC
[11:20] *** germs has joined #openstack-keystone
[11:25] *** germs has quit IRC
[11:27] *** pcichy has joined #openstack-keystone
[11:35] *** chason has quit IRC
[11:35] *** chason has joined #openstack-keystone
[11:53] *** aloga has joined #openstack-keystone
[11:54] *** aloga has quit IRC
[12:04] *** raildo has joined #openstack-keystone
[12:07] *** aloga has joined #openstack-keystone
[12:14] *** wes_dillingham has joined #openstack-keystone
[12:15] *** edmondsw has joined #openstack-keystone
[12:19] *** chason has quit IRC
[12:19] *** chason has joined #openstack-keystone
[12:22] *** gyankum has joined #openstack-keystone
[12:24] *** dmellado has quit IRC
[12:25] *** chason has quit IRC
[12:25] *** chason has joined #openstack-keystone
[12:27] *** dmellado has joined #openstack-keystone
[12:34] *** wxy_ has quit IRC
[12:36] *** wxy_ has joined #openstack-keystone
[12:41] *** panbalag has joined #openstack-keystone
[12:42] *** odyssey4me has quit IRC
[12:42] *** odyssey4me has joined #openstack-keystone
[12:44] *** mvk has quit IRC
[12:52] *** panbalag has left #openstack-keystone
[13:02] <openstackgerrit> Johannes Grassler proposed openstack/keystone-specs master: Add whitelist-extension-for-app-creds  https://review.openstack.org/396331
[13:14] *** ioni has left #openstack-keystone
[13:21] *** germs has joined #openstack-keystone
[13:21] *** germs has quit IRC
[13:21] *** germs has joined #openstack-keystone
[13:26] *** germs has quit IRC
[13:42] *** jroll has quit IRC
[13:43] *** jroll has joined #openstack-keystone
[13:54] *** mvk has joined #openstack-keystone
[13:56] <knikolla> o/
[13:57] <lbragstad> o/
[13:57] <cmurphy> \o
[14:04] <knikolla> got approval for Vancouver \o/
[14:04] <openstackgerrit> Lance Bragstad proposed openstack/keystone master: Add logging for xmlsec1 installation  https://review.openstack.org/553592
[14:07] *** wxy_ has quit IRC
[14:08] *** wxy_ has joined #openstack-keystone
[14:09] <lbragstad> knikolla: oh - nice!
[14:12] *** felipemonteiro_ has joined #openstack-keystone
[14:14] *** felipemonteiro__ has joined #openstack-keystone
[14:18] *** felipemonteiro_ has quit IRC
[14:29] *** spilla has joined #openstack-keystone
[14:34] *** felipemonteiro__ has quit IRC
[14:35] <gagehugo> o/
[14:36] *** gyankum has quit IRC
[14:42] *** felipemonteiro_ has joined #openstack-keystone
[14:48] *** Suramya has quit IRC
[14:48] *** Suramya_ has quit IRC
[15:00] *** itlinux has joined #openstack-keystone
[15:04] *** felipemonteiro_ has quit IRC
[15:05] *** felipemonteiro_ has joined #openstack-keystone
[15:15] *** wes_dillingham has quit IRC
[15:22] *** germs has joined #openstack-keystone
[15:22] *** germs has quit IRC
[15:22] *** germs has joined #openstack-keystone
[15:26] *** germs has quit IRC
[15:40] *** wxy_ has quit IRC
[15:41] *** wxy_ has joined #openstack-keystone
[15:46] *** wes_dillingham has joined #openstack-keystone
[15:46] *** jmlowe_ has quit IRC
[15:46] *** felipemonteiro_ has quit IRC
[15:47] *** josecastroleon has joined #openstack-keystone
[15:54] *** r-daneel has quit IRC
[15:56] *** markvoelker_ has joined #openstack-keystone
[15:56] *** markvoelker has quit IRC
[15:59] *** gyankum has joined #openstack-keystone
[15:59] *** markvoelker has joined #openstack-keystone
[16:00] *** gyankum has quit IRC
[16:01] *** markvoelker_ has quit IRC
[16:02] *** dtruong has joined #openstack-keystone
[16:07] *** pcaruana has quit IRC
[16:21] <kmalloc> adriant: you cannot change what an issued token means
[16:21] <kmalloc> adriant: period.
[16:21] *** panbalag has joined #openstack-keystone
[16:22] <kmalloc> adriant: so pass back a data structure (do not pass back anything that looks like a token)
[16:22] <kmalloc> adriant: pass back a structure that can say what the valid auth values are, but it must remain a 401 in this case
[16:22] <kmalloc> this isn't about being descriptive, you can pass back a json body with a 401.
[16:23] <kmalloc> but old clients need to work exactly the same in this case, if they don't understand MFA rules.
[16:23] <kmalloc> you cannot change 401->201 or 202 or anything else.
[16:23] <kmalloc> that is an API contract break, unless you change the AUTH path completely (see the spec on divorcing auth from versioned API)
[16:23] <kmalloc> which opens the door to a lot of things.
[16:24] <kmalloc> but /v3/auth cannot change its behavior, and partial tokens, 201, etc all is a change in behavior
[16:24] <kmalloc> adriant: really, don't get me wrong, I want this to be better but I am held to API contracts =/
[16:25] <kmalloc> i really want to communicate this, and it does likely mean re-passing the password data (you could offer a one-time hash of a password [with a salt] back that could be re-used without re-supplying the password itself)
[16:26] <kmalloc> but the tl;dr is "don't change the error code or behavior (especially of the auth path) of an existing API in keystone.
[16:27] <kmalloc> mordred: ^ cc (since i know you'll want clear auth option info for future plans - and support, it will make things better for zuul and other consumers)
[16:27] *** r-daneel has joined #openstack-keystone
[16:27] <kmalloc> lbragstad, cmurphy: ^ cc
[16:30] <kmalloc> i'm holding the -2 on the spec because it is describing an API contract break (Explicitly)
[16:31] <kmalloc> i want to better inform clients, but we cannot change the API behavior.. we can change the information returned in the 401 -- or we can change the auth path (see other specs)
[16:42] *** anyone is now known as meltdown_spectre
[16:42] *** meltdown_spectre is now known as anyone
[16:43] *** anyone is now known as teezod
[16:43] *** teezod is now known as anyone
[16:49] *** gyee has joined #openstack-keystone
[16:51] *** dikonoor has joined #openstack-keystone
[16:51] *** AlexeyAbashkin has quit IRC
[16:58] <lbragstad> stepping away to go for a run quick, but i'm going to review the yaml service catalog stuff and then queue up specs
[17:05] *** dtruong has quit IRC
[17:10] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: Extend comparator support for project list by tags  https://review.openstack.org/523499
[17:16] <cmurphy> kmalloc: adriant what if keystone continues to return a 401 but kept state internally about the user's auth? then the body of the 401 would say "you're halfway done" and a second auth attempt with the second method could succeed?
[17:17] <kmalloc> i'd pass back a seeded (time based?) hash in the 401 structure that can be validated.
[17:17] <kmalloc> but just to avoid stateful tracking
[17:18] <kmalloc> i'm fine with that. the key is it has to remain a 401 unless we're changing the auth path (painful, sadly)
[17:18] <kmalloc> s/fine with that/fine with what you suggested as well/
[17:18] <cmurphy> that sounds good too
[17:19] <kmalloc> i think we should pass back enough info that the client can act on it.
[17:19] <kmalloc> whatever that means, but i worry about holding state because it means DB or similar entry that could get... well token table like ick
[17:19] <kmalloc> ;)
[17:21] *** oikiki has joined #openstack-keystone
[17:21] *** d0ugal has quit IRC
[17:31] *** pcichy has quit IRC
[17:31] *** jessegler has joined #openstack-keystone
[17:34] *** techmagus463 has joined #openstack-keystone
[17:34] *** techmagus463 has quit IRC
[17:38] *** oikiki has quit IRC
[17:38] *** panbalag has quit IRC
[17:38] *** jmlowe has joined #openstack-keystone
[17:40] *** Supun has joined #openstack-keystone
[17:43] *** felipemonteiro_ has joined #openstack-keystone
[17:44] *** mvk has quit IRC
[17:45] *** dikonoor has quit IRC
[17:46] *** Supun has quit IRC
[17:47] *** Supun has joined #openstack-keystone
[17:49] *** oikiki has joined #openstack-keystone
[17:49] *** wes_dillingham has quit IRC
[17:52] <lbragstad> kmalloc: cmurphy could we only write the state if the user opts into mfa?
[17:52] <lbragstad> or would we have to write state for every auth?
[17:52] <kmalloc> i still worry about a large state table
[17:53] <lbragstad> (making authentication writable again, pre-fernet)
[17:53] <kmalloc> because arguably lots of folks (and/or domains/sites) will opt into MFA
[17:53] <lbragstad> sure
[17:53] <lbragstad> that's fair
[17:53] *** oikiki has quit IRC
[17:53] <kmalloc> I'd rather do a stateless (HMAC'd?) part of the response that would work for auth
[17:53] <kmalloc> in a short window
[17:54] <lbragstad> yeah
[17:57] *** oikiki has joined #openstack-keystone
[17:58] *** germs has joined #openstack-keystone
[17:58] *** germs has quit IRC
[17:58] *** germs has joined #openstack-keystone
[17:59] <cmurphy> lbragstad: if stateful (but i like stateless better) we'd only need to keep track of users using MFA, otherwise if you got your password wrong you got your password wrong, done deal, no state needs to be recorded
[17:59] *** mvk has joined #openstack-keystone
[18:00] <kmalloc> ++
[18:01] <kmalloc> i mean we could still use Fernet code path [not token, actual just Fernet] for that short-window data.
[18:03] <lbragstad> sure - that works
[18:03] *** germs has quit IRC
[18:07] *** tesseract has quit IRC
[18:09] <lbragstad> the yaml catalog stuff feels like it requires a specification
[18:09] <kmalloc> yes
[18:09] <lbragstad> i can take a stab at that
[18:10] <lbragstad> i see we have a blueprint created already and the work to implement it is already associated to the blueprint
[18:18] *** wes_dillingham has joined #openstack-keystone
[18:20] *** AlexeyAbashkin has joined #openstack-keystone
[18:24] *** AlexeyAbashkin has quit IRC
[18:27] *** dave-mccowan has joined #openstack-keystone
[18:32] *** felipemonteiro__ has joined #openstack-keystone
[18:33] *** wxy_ has quit IRC
[18:34] <lbragstad> kmalloc: i might need you to poke some holes in what i'm writing...
[18:34] *** wxy_ has joined #openstack-keystone
[18:34] <lbragstad> i don't understand a lot of the oddities with the templated backend
[18:34] <kmalloc> sure
[18:34] <kmalloc> will look
[18:34] <lbragstad> that would make yaml a better option.
[18:35] <lbragstad> i'll post what i have in a few minutes, and just incorporate your comments for "this is better because" or "we should move away from the ``templated`` backend because"
[18:37] *** felipemonteiro_ has quit IRC
[18:46] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for yaml-backed catalogs  https://review.openstack.org/554320
[18:46] <lbragstad> kmalloc: ^
[18:46] <lbragstad> wxy_: ^
[18:48] *** openstackgerrit has quit IRC
[19:05] *** pcichy has joined #openstack-keystone
[19:05] *** jmlowe has quit IRC
[19:07] *** jmlowe has joined #openstack-keystone
[19:16] *** knasim-wrs has joined #openstack-keystone
[19:18] <knasim-wrs> hey folks, I noticed that Keystone has a "Parent Region" for each region. I was wondering if we should be setting the Parent Region for our secondary regions (such as in some of our Multi-Region deployments where Keystone is running as a shared service in the Primary region)
[19:18] <knasim-wrs> I googled a bit and the parent region seems to be used by keystone's OS-ENDPOINT-POLICY API (https://developer.openstack.org/api-ref/identity/v3-ext/#os-endpoint-policy-api
[19:18] <knasim-wrs> https://developer.openstack.org/api-ref/identity/v3-ext/#os-endpoint-policy-api
[19:19] <knasim-wrs> I don't know what that does and whether we would want it to see our region deployment with parent/child relationship.
[19:19] <knasim-wrs> What do you think?
[19:19] <knasim-wrs> @lbragstad?
[19:20] *** pcichy has quit IRC
[19:20] *** AlexeyAbashkin has joined #openstack-keystone
[19:24] *** openstackgerrit has joined #openstack-keystone
[19:24] *** felipemonteiro_ has joined #openstack-keystone
[19:24] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: Project Tags SQL Refactor  https://review.openstack.org/554327
[19:24] *** AlexeyAbashkin has quit IRC
[19:25] *** felipemonteiro_ has quit IRC
[19:25] *** felipemonteiro_ has joined #openstack-keystone
[19:26] *** jmlowe has quit IRC
[19:27] *** felipemonteiro__ has quit IRC
[19:27] *** jmlowe has joined #openstack-keystone
[19:29] <adriant> kmalloc: Ok, let's not call it a token, let's call it something else, but yes, let's use the fernet data model. That's ultimately all I need.
[19:29] <adriant> some way to store the state IN keystone until the next attempt.
[19:29] <adriant> Make the expiry very short too
[19:30] *** jessegler has quit IRC
[19:31] <adriant> returned hash password would still be a nope in my book, keystone should "retain the state". The reason I use the token term is because then the method for storing that state matches the token provider (fernet, jwt, uuid).
[19:31] <adriant> Do we even still have uuid as an option?
[19:32] <adriant> We can always internally treat it as a partial token to reuse the same models and logic, but never outside of the internals call it a token.
[19:34] <lbragstad> knasim-wrs: that's a good question
[19:35] <adriant> I just for the life of me can't think of a different word for it other than token that fits, hence why just making it a new token type felt the most appropriate because ultimately it is very similar logic
[19:36] <kmalloc> adriant: it should be stateless
[19:36] <kmalloc> not "Stateful"
[19:36] <kmalloc> keystone should not maintain the state.
[19:37] <adriant> kmalloc: but yes, 401 is fine, we can return whatever we want in the header and the body
[19:37] <kmalloc> adriant: and it will need to be something we can pull out of a 401 body
[19:37] <lbragstad> knasim-wrs: afaik - the parent_region_id isn't really used anywhere
[19:37] <kmalloc> or header or whatever
[19:37] *** Supun has quit IRC
[19:37] <adriant> kmalloc: well not 'stateful' in the rest context, I mean it should act the same way as a token
[19:37] <lbragstad> knasim-wrs: i can try and dig up the specification to see if there were clear use cases in there
[19:37] <knasim-wrs> lbragstad: Is it there for legacy reasons? I see a lot of Endpoint Policy stuff has been deprecated / removed in recent releases
[19:38] <kmalloc> adriant: please do not call it a "token" in this sense.
[19:38] <kmalloc> so we don't have confusion
[19:38] <kmalloc> as well.
[19:38] <adriant> it shouldn't have a password actually in it, just the knowledge that a valid password was once passed.
[19:38] <adriant> kmalloc: are uuid tokens still a thing?
[19:38] <kmalloc> the idea behind the "hashed" password would be something like a re-round hashed hash of the stored password hash
[19:38] <cmurphy> maybe it's more like a "receipt" than a token?
[19:38] <kmalloc> so we could compare
[19:38] <kmalloc> adriant: assume uuid tokens are deprecated and gone
[19:38] <adriant> ty
[19:38] <lbragstad> knasim-wrs: original specification - http://specs.openstack.org/openstack/keystone-specs/specs/keystone/juno/endpoint-policy.html
[19:38] <adriant> k then just use the fernet model for this
[19:39] <adriant> well, logic not model
[19:39] <kmalloc> adriant: so, when i said hash, i was thinking something like: password-hash (scrypt or so) the stored hash, and include a timestamp
[19:39] <adriant> but it won't always be password
[19:39] <kmalloc> so we could use that as a secret that keystone can verify
[19:39] <adriant> what if I auth with totp first or some other method?
[19:39] <lbragstad> i think we'll need a separate key repository for MFA then
[19:39] <kmalloc> then you're doing it wrong :P
[19:39] <cmurphy> why does it need anything to do with a password? why not just a random timestamped string?
[19:39] <kmalloc> lbragstad: yes, that is a concern
[19:39] <adriant> it needs to be ANY method
[19:40] <kmalloc> adriant: note the ':P'
[19:40] <adriant> if we assume password then we're doing it wrong
[19:40] <kmalloc> sarcasm is lost in irc often
[19:40] <adriant> kmalloc: it is :(
[19:40] <adriant> but that's my reason for wanting a receipt
[19:40] <kmalloc> cmurphy: as long as it's something we can validate as "ours" as stateless, i don't care what goes in it
[19:41] <adriant> cmurphy: I'm ok with receipt
[19:41] <lbragstad> there's always a video call to hash out things like this - sarcasm included ;)
[19:41] <adriant> we could, but then real yelling is always an option :P
[19:41] <lbragstad> knasim-wrs: it looks like henry and ayoung implemented it - i can try and follow up with them about the parent region id bits
[19:42] <knasim-wrs> thanks
[19:42] <adriant> kmalloc: so 401 is ok, and a not-token receipt that sort of acts like a token works?
[19:42] <adriant> will that work for you and still solve what I need?
[19:42] <kmalloc> a non-token receipt that can be acted on is fine.
[19:42] <adriant> k
[19:42] <adriant> kmalloc: that's the middle ground I need to make this work :)
[19:43] <adriant> I'll update the spec, and I'll try and make it to the meeting this tuesday (wednesday for me)
[19:43] <adriant> I'd like to get the spec into a state we're ready to review by then
[19:44] * adriant should get out of bed and actually head to the office...
[19:45] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: Extend comparator support for project list by tags  https://review.openstack.org/523499
[19:48] *** openstackgerrit has quit IRC
[19:48] *** felipemonteiro__ has joined #openstack-keystone
[19:51] *** openstackgerrit has joined #openstack-keystone
[19:51] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: Project Tags SQL Refactor  https://review.openstack.org/554327
[19:52] *** felipemonteiro_ has quit IRC
[19:59] *** felipemonteiro__ has quit IRC
[20:00] *** germs has joined #openstack-keystone
[20:00] *** wes_dillingham has quit IRC
[20:00] *** felipemonteiro_ has joined #openstack-keystone
[20:00] *** felipemonteiro_ has quit IRC
[20:01] *** felipemonteiro_ has joined #openstack-keystone
[20:04] *** germs has quit IRC
[20:06] *** felipemonteiro__ has joined #openstack-keystone
[20:09] *** felipemonteiro_ has quit IRC
[20:10] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: Project Tags SQL Refactor  https://review.openstack.org/554327
[20:18] <openstackgerrit> Nicolas Helgeson proposed openstack/keystone master: [WIP] Extend comparator support for project list by tags  https://review.openstack.org/523499
[20:21] *** AlexeyAbashkin has joined #openstack-keystone
[20:26] *** AlexeyAbashkin has quit IRC
[20:51] *** jmlowe has quit IRC
[20:59] *** dtruong has joined #openstack-keystone
[21:03] <lbragstad> kmalloc: qq on one of your comments here - https://review.openstack.org/#/c/554320/1
[21:03] <lbragstad> when you say "Changing the format of the ini breaks current deploys using it." what exactly do you mean?
[21:04] <kmalloc> if you change the ini input
[21:04] <kmalloc> it breaks folks
[21:04] <kmalloc> also the template is an on-disk file
[21:04] <lbragstad> oh - like changing the key/value part?
[21:04] <kmalloc> yeah
[21:04] <lbragstad> is the same true if you rename a service using the sql backend?
[21:06] *** itlinux has quit IRC
[21:07] <lbragstad> i completely understand the whole usability of modeling complex catalogs with ini-style configs
[21:09] <kmalloc> no because the service is all relational in sql.
[21:09] <kmalloc> well it's mostly relational
[21:10] *** wes_dillingham has joined #openstack-keystone
[21:10] <lbragstad> ahh
[21:10] <lbragstad> i see
[21:12] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for yaml-backed catalogs  https://review.openstack.org/554320
[21:27] *** jessegler has joined #openstack-keystone
[21:30] *** raildo has quit IRC
[21:32] *** felipemonteiro__ has quit IRC
[21:34] *** jmlowe has joined #openstack-keystone
[21:50] *** gyee has quit IRC
[21:56] *** spilla has quit IRC
[21:59] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for yaml-backed catalogs  https://review.openstack.org/554320
[21:59] *** martinus__ has quit IRC
[22:00] <openstackgerrit> Lance Bragstad proposed openstack/keystone-specs master: Specification for yaml-backed catalogs  https://review.openstack.org/554320
[22:00] *** germs has joined #openstack-keystone
[22:00] *** germs has quit IRC
[22:00] *** germs has joined #openstack-keystone
[22:05] *** germs has quit IRC
[22:20] *** AlexeyAbashkin has joined #openstack-keystone
[22:25] *** AlexeyAbashkin has quit IRC
[22:34] *** rcernin has joined #openstack-keystone
[22:49] *** edmondsw has quit IRC
[23:01] *** oikiki has quit IRC
[23:01] *** david-lyle has joined #openstack-keystone
[23:20] *** AlexeyAbashkin has joined #openstack-keystone
[23:24] *** AlexeyAbashkin has quit IRC
[23:27] *** masber has joined #openstack-keystone
[23:49] *** r-daneel has quit IRC
[23:52] *** jessegler has quit IRC

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!